The feature at admin/user/ucreate is great.

I think a related feature would be to limit which roles can be granted by someone with this role. Most sites have an "admin" role (especially starting with Drupal 7). Therefore, using this module and letting someone assign roles essentially lets them takeover the whole site because they could create a new account for themselves with the higher roles.

Posting here for feedback. I may be able to provide the work as well.

Comments

alex_b’s picture

Great feature. I'd happily accept a patch.

greggles’s picture

Status: Active » Needs review
StatusFileSize
new3.91 KB

And here it is. I included a new section in the README.txt and updated the README a bit.

Moving your e-mail to the bottom of the file is not meant to be an insult in any way, but I feel it fits with presenting the most important information at the top of the file. Certainly we want people to know what the module does and how to install it before the start e-mail you and Felix ;)

alex_b’s picture

Status: Needs review » Needs work

Patch #2 requires a user to have 'assign user roles' permission and a specific permission 'assign X role'.

That's an AND behavior unusual in Drupal and breaks backwards compatibility - I think we should change it. Otherwise the patch looks good.

greggles’s picture

Status: Needs work » Needs review
StatusFileSize
new5.3 KB

The logic feels a bit weird to do that, but I think I've got it.

Also updated the README to explain this and to use "e.g." where I had used "i.e."

ailgm’s picture

I've tried the patch in #4, and it appears to work perfectly. Thanks.

Anonymous’s picture

StatusFileSize
new2.21 KB

I can verify that the patch in #4 works. I've attached a slight modification to #4 to clarify what each permission does.

jmiccolis’s picture

Status: Needs review » Needs work

The patch needs a little work yet. In `ucreate_user_form()` it appear to be checking for the wrong permission and so doesn't offer any role options to users that do have the 'assign any user role' permission.

Additionally, I spoke with alex_b and he's of the opinion that if we're going to change the name of an existing permission we should provide an update script to capture this change.

greggles’s picture

fwiw, I'm no longer interested in working on this.

jmiccolis’s picture

Status: Needs work » Closed (won't fix)

Ok, my sense is that we should table this feature. I was talking with Alex, about the future of this module and what we wanted to change in the D7 version. Basically we both agree that it's something of a shame that the module exists at all, and that to the degree that we need it we should keep the scope really strictly limited. Ucreate was never meant to be a management module, but rather just to provide a way for non-users to add their friends/colleagues. From the perspective the psuedo-administrative feature that have been smuggled in are rather out of place.

To make it still worse, the role management features as they exist now don't provide a complete system for the non-admin users the module is targeted toward. For example if I'm a user with the ucreate 'create user' permission as well as 'assign user role X` (where `X` is a role that exists) I'd be able to grant that role to new users, but not existing ones. Filling this gap is really way beyond the initial scope of the module, and not something that I think we should add.

So, I'm going to set this issue to "won't fix" and let's plan on keeping the scope in tight check as we move to D7.

zumph’s picture

I tried the last patch that tristanoneil submitted and had no problem when patching. I get the new permissions to choose which roles they are able to give but then the create user page contains no roles. There seem to be some problems with the permission because when i enable administer users in permission I at least get to choose which role the user should have. But there are no restrictions to which role to add. I have tried a lot and cant figure out what the problem is. I am supposed to patch the beta3 version right? I also tried it with beta4 but no luck...

greggles’s picture

@zumph, note that this feature is marked "won't fix" - rather than trying to get it to work you should be campaigning to re-open it.

zumph’s picture

i'm new to drupal. what does that mean?

greggles’s picture

That means the module maintainers do not plan to add the feature into the module. You could work to make the patch work and keep it and re-apply it to the module every time you upgrade, but it will be a lot of work and may require you to fix the patch in the future.

So, if you like this feature you should provide ideas for why it should be included.

zumph’s picture

If anyone is interested in applying this patch, here is what I found was wrong. First apply the patch that was posted last in this thread. Then open ucreate.module and go to the ucreate_user_form(). Change 'assign the role' to 'assign user role'.

greggles’s picture

Title: limit the roles that can be created » limit the roles that can be created (i.e. prevent privilege escalation)
Status: Closed (won't fix) » Needs work

Now that the module has new maintainers, let's revisit this idea.

* Should we do something?
* If so, what's the best way to limit the privilege escalation

eric_sea’s picture

While this has a status of "closed(won't fix)" it is worth noting that the ucreate module is an actively used within the current Drupal 6 version of the installation profile "Open Atrium"--with it 'managers' can create users without having to be granted additional administrator access & permissions.

Without the patch above, those managers have the power to create Administrators with greater permissions than their own.

greggles’s picture

@eric_sea I re-opened it :)

hongpong’s picture

see #1760806: Improving U Create user role assignment for my patch that can help with this (needs review).